LEGISLATION
also need to consider personal data about employees.
Step 5. Process according to data protection principles all personal data must be processed in accordance with data protection principles, and you must be able to document this through your policies and records. completing the Workbook for community Pharmacy (Part 3) will further help to demonstrate compliance.
Step 6. Review and check with your processors You must have data protection guarantees from anyone who processes personal data for you, such as your PMr supplier. Your existing contracts may confirm gdPr compliance, but if not, you will need to seek guarantees.
Step 7. Obtain consent if you need to consent or explicit consent is a lawful basis for processing personal data. Pharmacies already have a lawful basis for much of their data processing (as described in step 4), so are unlikely to need to seek consent for data processing. note that consent for data processing is not the same as consent for service provision, which will still be needed.
certain functions, such as direct marketing, may require consent, in which case you need to ensure the
consent is gdPr compliant and that you have a record of it.
Step 8. Tell people about your processes: the Privacy Notice a key principle of the gdPr is the provision of clear information to people about how their data is being used (or ‘processed’). this could be provided in the form of a privacy notice. Pharmacies will need to have this notice available on their premises and should draw it to the attention of new customers.
Step 9. Ensure data security the gdPr requires anyone processing personal data to take steps to ensure data security. Pharmacies should already have policies on data security, but you may need to seek assurances, eg, from PMr suppliers that all processed data will be secure. You may need to train staff on security of personal data.
Step 10. Consider personal data breaches Pharmacies must have policies and procedures in place to cover any data breaches. Breaches likely to affect people’s rights and freedom, for instance, the loss of a prescription bundle in a public place, must be reported to the Ico, and sometimes to the people affected.
reports to the Ico must include relevant information and be made without undue delay.
Step 11. Think about data subject rights the gdPr gives people a number of rights about how they can access and seek to control processing of their personal data. Your pharmacy must be aware of these and ready to respond to requests.
Step 12. Ensure privacy by design and default Privacy and data protection should be key considerations in the early stages of any project, such as installing a new It system. the gdPr makes considering data protection by design and default a legal requirement. Pseudonymisation of data is likely to be a useful data protection measure in many scenarios.
Step 13. Data protection impact assessment the gdPr requires that a data Protection Impact assessment (dPIa) be carried out for certain data processing activities where there is a high risk to the rights and freedoms of individuals. this includes all processing of healthcare data, but exemptions apply where data is processed to meet legal requirements or in the performance of a task in the public interest, or where an assessment was previously carried out. cPnI is awaiting Ico guidance, but believes that smaller pharmacies will not need to carry out a dPIa for normal dispensing practices
GDPR extra
McLernons have been preparing for the implementation of GDPR…
In 2017, Mclernons commissioned the services of data Protection Specialists to carry out a full audit of every aspect of its business, from the way the company transfers your data when it upgrades its systems to its anti-viral measures and security systems.
this has resulted in a substantial investment by Mclernons in various areas:
Backup for your pharmacy data – this is now even more secure and the software ‘calls home’ if there are issues, so that Mclernons can work pro-actively to protect your data.
the Microsoft azure cloud has been integrated as another offsite storage option for your backups and the team is working to get everyone migrated to the new system soon.
We have introduced stringent new ‘log in’ procedures, so that we can see exactly which member of staff has accessed your system, and we have strengthened our training procedures to remind all staff, from directors to Engineers, that they must always ask for your permission to log in to your system in order to help address a query you may have.
the gdPr specifies that Mclernons, as data processors, must adhere to certain data protection requirements in order to ensure that the personal data that it is processing on your behalf is kept as safe and secure as possible at all times.
Pictured (l-r): John Clark, Chairperson, CPNI; Kerry Grimes, Governance Pharmacist, CPNI; Tony Hughes, Associate Director, KPMG and Gerard Greene, Chief Executive, CPNI.
as your system vendor and data Processor, Mclernons has joint responsibilities with you, the data controller, and one of these is the completion of a data Processing agreement.
PharMacY In focUS - 45
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64
